
NOD32 detected Mebroot Trojan in memory - volume wave mutes, popups, clicking sounds

Discussion in 'Virus & Other Malware Removal' started by Noam09, Jul 12, 2010.

  1. Noam09

    Noam09 Thread Starter

    Joined:
    Jan 21, 2008
    Messages:
    59
    Hi. I hope the title wasn't too detailed.
    I believe I have the same infection as a few other posts I've been seeing around the net over the last couple of days.
    NOD32 detected a Mebroot Trojan it can't clean in the operating memory, and I believe it's causing my PC's weird behavior.
    Every now and then the volume wave drops to 0 (mute), and every now and then IE ad popups appear, even though I am a Firefox user, and I can hear clicking noises in the background every now and then.
    I would really appreciate any help I can get removing this. What I fear most is that it will spread to other computers on the network or to my IM/email/FB contacts.

    Also, here is a HijackThis log, the pinned guide said I should post this.

    Thank you very much to anyone willing to help! :)

    Code:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:38:59 PM, on 7/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\DU Meter\DUMeterSvc.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Process Lasso\processgovernor.exe
    C:\Program Files\Backwards Hebrew\hebrew.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\ClipX\clipx.exe
    C:\Program Files\Everything\Everything.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Intel Audio Studio\Intel Audio.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
    C:\Program Files\Rainlendar2\Rainlendar2.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\VisualTaskTips\VisualTaskTips.exe
    C:\Program Files\UberIcon\UberIcon Manager.exe
    C:\Program Files\Process Lasso\ProcessLasso.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Documents and Settings\Noam\Desktop\HackEm\Ketamine.2007.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Launchy\Launchy.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\VirtuaWin\VirtuaWin.exe
    C:\Program Files\VirtuaWin\modules\WinList.exe
    C:\Program Files\Sheep Friends\Billy\BillySongDumper.v.0.1.0.0\BillySD.exe
    C:\Program Files\Samurize\Client.exe
    C:\Program Files\AnalogX\MaxMem\maxmem.exe
    C:\Program Files\PowerMenu\PowerMenu.exe
    C:\Program Files\Yz Dock\YzDock.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\FlashGet\flashget.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
    O1 - Hosts: 216.55.133.9 handybackup.com www.handybackup.com www.softlogica.com softlogica.com
    O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
    O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [ProcessGovernor] C:\Program Files\Process Lasso\processgovernor.exe
    O4 - HKLM\..\Run: [Hebrew] C:\Program Files\Backwards Hebrew\hebrew.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [ClipX] C:\Program Files\ClipX\clipx.exe
    O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
    O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking10\Ereg.ini
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\Intel Audio.exe" TRAY
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
    O4 - HKCU\..\Run: [ProcessSupervisorGUI] C:\Program Files\Process Lasso\ProcessLasso.exe /tray
    O4 - HKCU\..\Run: [ProxyFirewall] C:\Program Files\ProxyFirewall\ProxyFirewall.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Noam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [eMuleAutoStart] C:\Documents and Settings\Noam\Desktop\HackEm\Ketamine.2007.exe -AutoStart
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: BillySD.lnk = C:\Program Files\Sheep Friends\Billy\BillySongDumper.v.0.1.0.0\BillySD.exe
    O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
    O4 - Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
    O4 - Startup: maxmem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe
    O4 - Startup: mIRC.lnk = C:\Program Files\mIRC\mirc.exe
    O4 - Startup: NOD32.lnk = C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe
    O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
    O4 - Startup: YzDock.lnk = C:\Program Files\Yz Dock\YzDock.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
    O4 - Global Startup: VirtuaWin.lnk = C:\Program Files\VirtuaWin\VirtuaWin.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
    O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: En&queue current page with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
    O8 - Extra context menu item: Enqueue link target with Bulk Ima&ge Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
    O8 - Extra context menu item: Open &link target with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
    O8 - Extra context menu item: Open current page with Bulk I&mage Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - K:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - K:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5BE9EA87-34C5-449F-84FE-25F05BAA03A5}: NameServer = 10.0.0.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B7E862E2-63E9-42B0-BE5A-3BEF46E8F2C4}: NameServer = 10.0.0.138
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: prio.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HealthMonitor - Unknown owner - f:\apps\HealthMonitor\HealthMonitor.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    
    --
    End of file - 16205 bytes
    
    Cheers!
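    As an added illustration of how a reviewer reads a log like the one above (example code written for this page, not a tool from the thread, from Trend Micro or from the forum): a small Python parser for HijackThis-format lines, followed by a triage pass that flags the entry classes a malware specialist checks first: proxy settings, hosts-file overrides, orphaned entries whose file is missing, auto-start entries launching from user-writable folders, and a non-empty AppInit_DLLs value. The sample lines are copied from the log in this post; the flag rules are this example's own heuristics, and every one of them has benign explanations (the loopback proxy here, for instance, may simply belong to the ProxyFirewall program that also appears in the Run keys).

```python
"""Parse HijackThis v2-style log lines and flag entries worth a second look.

Added example for this page; the heuristics are review prompts, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# HijackThis entries look like "O4 - HKLM\..\Run: [name] path"; the R/F/N/O
# prefix is the section type. Header lines and the process list do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

# Path fragments that mean an auto-start entry runs from a user-writable place.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\desktop\\",
    "\\temp\\",
    "\\application data\\",
    "\\local settings\\",
)

# Sample input: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O1 - Hosts: 216.55.133.9 handybackup.com www.handybackup.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Documents and Settings\Noam\Desktop\HackEm\Ketamine.2007.exe -AutoStart
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O20 - AppInit_DLLs: prio.dll
O23 - Service: HealthMonitor - Unknown owner - f:\apps\HealthMonitor\HealthMonitor.exe (file missing)
"""


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4"
    body: str     # text after the "O4 - " prefix


def parse_hjt(text: str) -> List[Entry]:
    """Return the Oxx/Rx entries of a log; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2)))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, body) for entries a reviewer should examine first."""
    findings = []
    for e in entries:
        low = e.body.lower()
        if e.section == "R1" and "proxyserver" in low:
            findings.append((e.section, "proxy configured; confirm which local program owns it", e.body))
        elif e.section == "O1":
            findings.append((e.section, "hosts-file entry redirects a domain", e.body))
        elif "(no file)" in low or "(file missing)" in low:
            findings.append((e.section, "orphaned entry; referenced file is missing", e.body))
        elif e.section == "O4" and any(frag in low for frag in USER_WRITABLE):
            findings.append((e.section, "auto-start runs from a user-writable location", e.body))
        elif e.section == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
            findings.append((e.section, "AppInit_DLLs loads a DLL into every process that uses user32", e.body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:<4} {reason}\n     {body}")
```

    Running the module prints seven flagged entries out of the ten parsed; the two R0/O2/O4 entries that reference a present, vendor-signed file in Program Files pass through unflagged, which is the behaviour you want from a first-pass filter that a human then confirms against the rest of the log.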
     
  2. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    Hello Noam09 and welcome to Tech Support Guy. Please follow these guidelines while we work on your PC:

    • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
    • Please do not run any scans or install/uninstall any applications without being directed to do so.
    • Please follow my instructions carefully and in the order they are posted.
    • Any underlined text in my posts indicates a clickable link.
    • You should print any instructions I give you for ease of use and reference.
    • If you have any questions at all, please stop and ask before proceeding.
    • I remove threads from my subscription list after 5 days of inactivity. If you will not be able to respond to a post within 5 days, please let me know in advance.

    Please download DDS by sUBs from one of the following links and save it to your desktop.

    DDS.scr
    DDS.pif

    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click DDS icon to run the tool (may take up to 3 minutes to run)
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
    ---------------------------------------------------
    • Post the contents of the DDS.txt report in your next reply
    • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

    Download GMER Rootkit Scanner from here to your desktop.

    • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


    If you have trouble running GMER:

    • Make sure that your security software is disabled
    • Uncheck the box next to "Files" this time also
    • If you still can't run it, try in the Safe Mode

    Download and run HAMeb_check.exe
    Post the contents of the resulting log.

    Please include the following in your next post (Please don't wrap them in code tags anymore):

    • DDS.txt and Attach.txt logs
    • GMER log
    • HAMeb_check log
     
  3. Noam09

    Noam09 Thread Starter

    Joined:
    Jan 21, 2008
    Messages:
    59
    Thanks for your help RPMcMurphy.
    The first time I ran GMER I got BSOD, so I unchecked "Files" and this is what I got...
    Here are the logs:

    DDS.txt:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Noam at 18:08:56.85 on Mon 07/12/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Professional 5.1.2600.3.1255.1.1033.18.3326.2189 [GMT 3:00]

    AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    svchost.exe 4
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\DU Meter\DUMeterSvc.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    svchost.exe 4
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Process Lasso\processgovernor.exe
    C:\Program Files\Backwards Hebrew\hebrew.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\ClipX\clipx.exe
    C:\Program Files\Everything\Everything.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Intel Audio Studio\Intel Audio.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
    C:\Program Files\Rainlendar2\Rainlendar2.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\VisualTaskTips\VisualTaskTips.exe
    C:\Program Files\UberIcon\UberIcon Manager.exe
    C:\Program Files\Process Lasso\ProcessLasso.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Documents and Settings\Noam\Desktop\HackEm\Ketamine.2007.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Launchy\Launchy.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\VirtuaWin\VirtuaWin.exe
    C:\Program Files\VirtuaWin\modules\WinList.exe
    C:\Program Files\Sheep Friends\Billy\BillySongDumper.v.0.1.0.0\BillySD.exe
    C:\Program Files\Samurize\Client.exe
    C:\Program Files\AnalogX\MaxMem\maxmem.exe
    C:\Program Files\PowerMenu\PowerMenu.exe
    C:\Program Files\Yz Dock\YzDock.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\FlashGet\flashget.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Noam\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uInternet Settings,ProxyOverride = local;*.local
    uInternet Settings,ProxyServer = 127.0.0.1:8080
    mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
    BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
    TB: QT TabBar: {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll
    TB: QT Tab Standard Buttons: {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} - mscoree.dll
    TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
    uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
    uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
    uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
    uRun: [VisualTaskTips] c:\program files\visualtasktips\VisualTaskTips.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [UberIcon] "c:\program files\ubericon\UberIcon Manager.exe"
    uRun: [ProcessSupervisorGUI] c:\program files\process lasso\ProcessLasso.exe /tray
    uRun: [ProxyFirewall] c:\program files\proxyfirewall\ProxyFirewall.exe
    uRun: [Google Update] "c:\documents and settings\noam\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [eMuleAutoStart] c:\documents and settings\noam\desktop\hackem\Ketamine.2007.exe -AutoStart
    mRun: [LogonStudio] "c:\program files\wincustomize\logonstudio\logonstudio.exe" /RANDOM
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [ProcessGovernor] c:\program files\process lasso\processgovernor.exe
    mRun: [Hebrew] c:\program files\backwards hebrew\hebrew.exe
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [ClipX] c:\program files\clipx\clipx.exe
    mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
    mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
    mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
    mRun: [IntelAudioStudio] "c:\program files\intel audio studio\Intel Audio.exe" TRAY
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\noam\startm~1\programs\startup\billysd.lnk - c:\program files\sheep friends\billy\billysongdumper.v.0.1.0.0\BillySD.exe
    StartupFolder: c:\docume~1\noam\startm~1\programs\startup\client~1.lnk - c:\program files\samurize\Client.exe
    StartupFolder: c:\docume~1\noam\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
    StartupFolder: c:\docume~1\noam\startm~1\programs\startup\maxmem.lnk - c:\program files\analogx\maxmem\maxmem.exe
    StartupFolder: c:\docume~1\noam\startm~1\programs\startup\mirc.lnk - c:\program files\mirc\mirc.exe
    StartupFolder: c:\docume~1\noam\startm~1\programs\startup\nod32.lnk - c:\program files\eset\eset nod32 antivirus\egui.exe
    StartupFolder: c:\docume~1\noam\startm~1\programs\startup\powerm~1.lnk - c:\program files\powermenu\PowerMenu.exe
    StartupFolder: c:\docume~1\noam\startm~1\programs\startup\yzdock.lnk - c:\program files\yz dock\YzDock.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\virtua~1.lnk - c:\program files\virtuawin\VirtuaWin.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
    IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
    IE: + &Mass Downloader: download this file - c:\program files\mass downloader\Add_Url.htm
    IE: + Mass Downloader: download &All files - c:\program files\mass downloader\Add_All.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Download All Links with IDM - c:\program files\internet download manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
    IE: E&xport to Microsoft Excel - k:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: En&queue current page with Bulk Image Downloader - file://c:\program files\bulk image downloader\iemenu\iebidqueue.htm
    IE: Enqueue link target with Bulk Ima&ge Downloader - file://c:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
    IE: Open &link target with Bulk Image Downloader - file://c:\program files\bulk image downloader\iemenu\iebidlink.htm
    IE: Open current page with Bulk I&mage Downloader - file://c:\program files\bulk image downloader\iemenu\iebid.htm
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - k:\progra~1\micros~1\office12\ONBttnIE.dll
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    Trusted Zone: apple.com\phobos
    Trusted Zone: apple.com\securemetrics
    Trusted Zone: itunes.com
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    TCP: {5BE9EA87-34C5-449F-84FE-25F05BAA03A5} = 10.0.0.138
    TCP: {B7E862E2-63E9-42B0-BE5A-3BEF46E8F2C4} = 10.0.0.138
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    AppInit_DLLs: prio.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Authentication Packages = msv1_0 relog_ap
    Hosts: 216.55.133.9 handybackup.com www.handybackup.com www.softlogica.com softlogica.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\noam\applic~1\mozilla\firefox\profiles\yrtomtrv.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - component: c:\documents and settings\noam\application data\idm\idmmzcc3\components\idmmzcc.dll
    FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
    FF - plugin: c:\documents and settings\noam\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll
    FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 35168]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 67656]
    R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]
    R2 DUMeterSvc;DU Meter Service;c:\program files\du meter\DUMeterSvc.exe [2007-10-28 1386008]
    R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-10-7 472280]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 esihdrv;esihdrv;\??\c:\docume~1\noam\locals~1\temp\esihdrv.sys --> c:\docume~1\noam\locals~1\temp\esihdrv.sys [?]
    R3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2007-10-8 7168]
    R3 HDDirect;Hard Disk Direct Control;c:\windows\system32\drivers\hddirect.sys [2010-7-12 12552]
    R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2007-2-16 11984]
    R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
    S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
    S2 HealthMonitor;HealthMonitor;f:\apps\healthmonitor\healthmonitor.exe --> f:\apps\healthmonitor\HealthMonitor.exe [?]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
    S4 AWService;Admin Works Agent X8;c:\program files\intel\idu\awServ.exe [2006-12-27 74520]
    S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007-5-3 155136]
    S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007-5-3 5248]
    S4 gupdate1c98ed4c812129d;Google Update Service (gupdate1c98ed4c812129d);c:\program files\google\update\GoogleUpdate.exe [2009-2-14 133104]

    ============== File Associations ===============

    .txt=Ascii File

    =============== Created Last 30 ================

    2010-07-12 12:38:18 0 d-----w- c:\program files\Trend Micro
    2010-07-12 12:23:13 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys
    2010-07-11 14:02:39 72 ----a-w- c:\documents and settings\noam\defogger_reenable
    2010-07-11 13:25:59 0 d-----w- c:\docume~1\noam\applic~1\Malwarebytes
    2010-07-11 13:25:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-07-10 20:38:27 0 d-----w- c:\program files\WinMerge
    2010-06-29 09:19:27 0 d-----w- c:\program files\FAVC
    2010-06-26 17:45:43 0 d-----w- c:\program files\Garmin
    2010-06-21 19:38:41 0 d-----w- c:\program files\mkv2vob
    2010-06-20 10:37:29 0 d-----w- c:\program files\VirtualDJ
    2010-06-16 23:20:54 0 d-----w- c:\program files\Process Assassin
    2010-06-14 08:03:29 0 d-----w- c:\program files\Windows Resource Kits

    ==================== Find3M ====================

    2010-07-10 20:47:04 2198528 ----a-w- c:\windows\system32\logonuiX.exe
    2010-07-05 02:45:36 160624 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-05-21 11:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-05 15:57:41 3994 ----a-w- c:\docume~1\noam\applic~1\SAS7_000.DAT
    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
    2004-10-01 13:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
    2009-11-06 08:59:08 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

    ============= FINISH: 18:09:51.37 ===============


    HAMeb:

    C:\Documents and Settings\Noam\Desktop\HAMeb_check.exe
    Mon 07/12/2010 at 18:38:12.53

    Account active No
    Local Group Memberships

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking for HelpAssistant directories ~~

    none found

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: error reading MBR
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
    kernel: MBR read successfully

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll was not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    ~~ EOF ~~


    GMER

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-12 18:38:05
    Windows 5.1.2600 Service Pack 3
    Running: x9516s4v.exe; Driver: C:\DOCUME~1\Noam\LOCALS~1\Temp\awloypoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB32EE620]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6AE7360, 0x3CEED5, 0xE8000020]
    init C:\WINDOWS\system32\drivers\fixustor.sys entry point in "init" section [0xB862B0E6]
    .text win32k.sys!EngAcquireSemaphore + 20E2 BF808308 5 Bytes JMP 89E704D0
    .text win32k.sys!EngFreeUserMem + 5BD2 BF80EE8F 5 Bytes JMP 89E70430
    .text win32k.sys!EngMultiByteToWideChar + 2F32 BF8A0D51 5 Bytes JMP 89E70750
    .text win32k.sys!EngMulDiv + 90FA BF8B4264 5 Bytes JMP 89E70610
    .text win32k.sys!XLATEOBJ_iXlate + 3A50 BF8B9E25 5 Bytes JMP 89E70570
    .text win32k.sys!EngUnicodeToMultiByteN + 1756 BF8C322E 5 Bytes JMP 89E706B0
    .text win32k.sys!PATHOBJ_bCloseFigure + 19F1 BF8F98FC 5 Bytes JMP 89E707F0
    C:\Program Files\CyberLink\PowerDVD\000.fcl entry point in "" section [0xB2573000]
    .clc C:\Program Files\CyberLink\PowerDVD\000.fcl unknown last section [0xB2574000, 0x1000, 0x00000000]
    C:\Program Files\CyberLink\PowerDVD8\000.fcl entry point in "" section [0xB2573000]
    .clc C:\Program Files\CyberLink\PowerDVD8\000.fcl unknown last section [0xB2574000, 0x1000, 0x00000000]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[540] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
    AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

    Device \FileSystem\Cdfs \Cdfs B0CF7400

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] C:\Program Files\Alcohol Soft\Alcohol 120\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0xD2 0x57 0x4B 0x5D ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] C:\Program Files\Alcohol Soft\Alcohol 120\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0xD2 0x57 0x4B 0x5D ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] C:\Program Files\Alcohol Soft\Alcohol 120\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0xD2 0x57 0x4B 0x5D ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{2d18447e-f8a1-4bfd-b2bd-e2de6c700ca4}@Model 289
    Reg HKLM\SOFTWARE\Classes\CLSID\{2d18447e-f8a1-4bfd-b2bd-e2de6c700ca4}@Therad 20
    Reg HKLM\SOFTWARE\Classes\CLSID\{5a451738-9782-43b5-be40-1e81dcc2f9a5}@Model 77
    Reg HKLM\SOFTWARE\Classes\CLSID\{5a451738-9782-43b5-be40-1e81dcc2f9a5}@Therad 22
    Reg HKLM\SOFTWARE\Classes\CLSID\{5a451738-9782-43b5-be40-1e81dcc2f9a5}@MData 0x73 0xD5 0xCF 0xB8 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x80 0x41 0x24 0xF8 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x7E 0x70 0xAF 0x8A ...

    ---- EOF - GMER 1.0.15 ----

  4. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    Hi Noam09,

    [​IMG] P2P - I see you have P2P software (uTorrent & eMule) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Malware authors use P2P filesharing as a major conduit to spread their wares. I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at TSG are complete.

    [​IMG] Please download DeFogger to your desktop.
    Double click DeFogger to run the tool.

    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • If it needs to, DeFogger may ask to reboot the machine - click OK

    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
    Do not re-enable these drivers until otherwise instructed.

    [​IMG] Please download Rootkit Unhooker and save it on your desktop.

    • Disable your security programs
    • Double click RKUnhookerLE.exe to run it
    • Click the Report tab, then click Scan
    • Check Drivers, Stealth Code, Files, and Code Hooks
    • Uncheck the rest, then click OK
    • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
    • Wait till the scanner has finished then go File > Save Report
    • Save the report somewhere you can find it. Click Close
    • Copy the entire contents of the report and paste it in your next reply.

    Note - You may get this warning; it is OK, just ignore it:
    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"
    [​IMG] Download Bootkit remover to your desktop
    This is a rar file; if you do not have a program to open it, download and install PeaZip.

    • Extract Remover.exe to your desktop
    • Right click Remover.exe and select Run as Administrator
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • Post the resultant log here please

    Please include the following in your next post:

    • Rootkit Unhooker log (Attach it if it's too big to post)
    • Bootkit Remover log
     
  5. Noam09

    Noam09 Thread Starter

    Joined:
    Jan 21, 2008
    Messages:
    59
    I have two hard drives installed. Should I have Rootkit Unhooker scan both of them or just the system drive (C)? It's taking very long (but maybe that's normal).

    EDIT: I just BSOD'd (during the scan). :(
    Also, I'm seeing an "Active Desktop Recovery" desktop background, with the restore button. Didn't click it though, maybe the trojan is trying to trick me.
     
  6. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    Try one more time, on the system drive only. Make sure you have disabled all of your security applications. If it crashes again, move on to the Bootkit Remover scan.
     
  7. Noam09

    Noam09 Thread Starter

    Joined:
    Jan 21, 2008
    Messages:
    59
    Running the scan again just for C. This time it didn't ask to check/uncheck anything, just the drives.
    Will post log if it succeeds.
     
  8. Noam09

    Noam09 Thread Starter

    Joined:
    Jan 21, 2008
    Messages:
    59
    A minute after I started the scan again I BSOD'd. Took me 3 tries to get my PC to boot again.
    Should I run the Bootkit Remover now?

    EDIT: I just noticed that Windows Defender was running in the background. I noticed it in task manager, there wasn't even an icon in the taskbar. Sorry about that. =\
    Running scan one more time.
     
  9. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    OK, if it crashes again just move on to Bootkit Remover.
     
  10. Noam09

    Noam09 Thread Starter

    Joined:
    Jan 21, 2008
    Messages:
    59
    While running the scan a popup came up, and the moment I clicked [X] to close it, BSOD. I'm pretty sure I disabled Defender correctly, though I don't think it's what caused the BSOD.
    I ran remover.exe and got this:
    [​IMG]

    Thanks again for your help. I really appreciate it. :)
     
  11. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    Hi Noam09,

    Thanks for your patience. Let's get started. Most of today's malware requires several steps to clean, so stay with me until I tell you that you're all set:

    [​IMG] Download ComboFix from one of the following locations:
    Link 1
    Link 2

    VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    • Double click on ComboFix.exe & follow the prompts.

    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [​IMG]


    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    [​IMG]


    • Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


    Please include the following in your next post:

    • ComboFix log
     
  12. Noam09

    Noam09 Thread Starter

    Joined:
    Jan 21, 2008
    Messages:
    59
    I attached the ComboFix log since it's pretty big. During its run a few "Windows - No Disk" errors popped up, I just clicked "Continue". Also an "IE isn't set as your default browser" and I clicked "No". I hope I didn't mess up anything by doing that.
    BTW I noticed a program called ProxyFirewall in some of the logs... I'm not saying it caused this mess, but I don't really remember installing it. But maybe I'm just senile. =\
    Thanks!

  13. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    Noam09,

    [​IMG] Earlier on ComboFix installed the Recovery Console. We're going to use that now. Please print and read the instructions and ask any questions you have before you start:

    Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
    (you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the Windows XP bootup)

    [​IMG]

    [​IMG]

    When you get to the above screen, take note of the number that references your operating system.
    If it's '1' like the picture above, type 1 and press Enter

    [​IMG]

    Next type FIXMBR

    [​IMG]

    If it asks if you're sure you want to write a new MBR, answer 'Y'

    Then type EXIT to reboot the machine.

    [​IMG] Reboot your computer and re-run Bootkit remover as we did initially

    • Right click Remover.exe and select Run as Administrator
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • Post the resultant log here please
     
  14. Noam09

    Noam09 Thread Starter

    Joined:
    Jan 21, 2008
    Messages:
    59
    One question before I start: When it says "become inaccessible", does that mean I could lose all of the data on my Hard Drives? Or does it just mean Windows won't be able to locate the Hard Drives?
     
  15. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    You have a newer infection that has affected your MBR (Master Boot Record). This cannot be fixed from within Windows, thus we are using the Recovery Console, which is the safest method for cleaning this infection. Although we have successfully removed this infection from several systems using this method, data loss is always a possibility.
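As an added illustration of what the MBR check in the HAMeb/gmer log and the FIXMBR step above are about (example code written for this page, not a tool from the thread), the script below models a 512-byte MBR, classifies a user-mode read against a kernel-mode read the way the gmer "user:"/"kernel:" lines report it, and applies a FIXMBR-style repair that rewrites only the bootstrap code while keeping the partition table. All sector contents are constructed placeholder bytes; STOCK_CODE and BOOTKIT_CODE are not real boot-code dumps.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
CODE_SIZE = 446          # bootstrap code: bytes 0..445
TABLE_OFFSET = 446       # four 16-byte partition entries: bytes 446..509
SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table entries; unused slots have type_id 0."""
    if len(mbr) != MBR_SIZE or mbr[510:] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        fields = struct.unpack_from("<B3BB3BII", mbr, off)
        entries.append(Partition(fields[0] == 0x80, fields[4], fields[8], fields[9]))
    return entries


def build_mbr(code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and up to four entries (constructed data)."""
    table = b"".join(
        struct.pack("<B3BB3BII", 0x80 if p.bootable else 0x00, 0, 0, 0,
                    p.type_id, 0, 0, 0, p.lba_start, p.sectors)
        for p in partitions
    ).ljust(64, b"\x00")
    return code.ljust(CODE_SIZE, b"\x00") + table + SIGNATURE


def compare_mbr_reads(user_read: Optional[bytes], kernel_read: bytes) -> str:
    """Classify a user-mode read of sector 0 against a kernel-level read, in the
    spirit of the 'user:' / 'kernel:' lines of the gmer MBR check in the thread."""
    if len(kernel_read) != MBR_SIZE or kernel_read[510:] != SIGNATURE:
        return "kernel: invalid MBR"
    if user_read is None:
        return "user: error reading MBR"        # the result shown in Noam09's HAMeb log
    if user_read == kernel_read:
        return "user & kernel MBR OK"
    if user_read[TABLE_OFFSET:] == kernel_read[TABLE_OFFSET:]:
        # same partitions, different code: user mode is being shown a doctored sector
        return "MBR code mismatch: bootstrap code hooked, partition table intact"
    return "MBR mismatch: partition table differs"


def fixmbr(current: bytes, stock_code: bytes) -> bytes:
    """Rewrite only the bootstrap code, keeping the partition table and signature.
    This is what the Recovery Console FIXMBR step in the thread does: the partition
    table (and so the data on the volumes) is left as it was."""
    if len(current) != MBR_SIZE or len(stock_code) != CODE_SIZE:
        raise ValueError("expected a 512-byte MBR and 446 bytes of code")
    return stock_code + current[TABLE_OFFSET:]


# ---- constructed sample sectors: placeholder bytes, not real boot-code dumps ----
STOCK_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32).ljust(CODE_SIZE, b"\x00")
# an MBR bootkit keeps the partition table and replaces the code with its own loader
BOOTKIT_CODE = (b"\xeb\x3e" + b"\x00" * 62 + b"\xbe\xad\xc0\xde").ljust(CODE_SIZE, b"\x00")
PARTS = [Partition(True, 0x07, 63, 41929587), Partition(False, 0x07, 41929650, 36194445)]

CLEAN_MBR = build_mbr(STOCK_CODE, PARTS)
INFECTED_MBR = build_mbr(BOOTKIT_CODE, PARTS)

if __name__ == "__main__":
    print(compare_mbr_reads(None, INFECTED_MBR))
    print(compare_mbr_reads(CLEAN_MBR, INFECTED_MBR))  # rootkit hides itself from user mode
    repaired = fixmbr(INFECTED_MBR, STOCK_CODE)
    print("repaired == clean:", repaired == CLEAN_MBR)
    print(parse_partitions(repaired))
```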
     
Short URL to this thread: https://techguy.org/935101